lambda bulletin 3.06

October 11, 1997



Contents

EUROPE'S ACTION PLAN
> Content control : a draft document revealed
> A controversial assessment about encryption
SHORT-CIRCUITS
> A case study: how police deal with enciphered evidence
> Netscape's Liaisons Dangereuses?


EUROPE'S ACTION PLAN

 

Content And Self-Regulation

 

EC telecoms, data protection and police experts are on the verge of publishing their own guidelines for regulating content online. The lambda bulletin obtained a draft proposal the Commission will submit to the Council of Ministers soon, concerning self-regulation and content control. The EC also revealed on October 8 its guidelines and recommendations about security, digital signatures and encryption.

In a communication paper called "Internet Action Plan" - "draft 1.0", the EC says "Considerable work has been undertaken in the EU in the last two years on the initiative of the European Commission. The political direction given by the European Parliament and the developments in Member States show that Europe has in many respects been a pioneer in addressing the issues and proposing solutions."

"The proposed Internet Action Plan", the draft proposal continues, "is the result of the intensive consultations with all concerned carried out as part of this process. The Commission has identified areas where concrete measures are needed and where Community resources should be made available:

The Action Plan proposes a framework within which specific actions can be carried out."

Later the Commission recommends a strong police cooperation:

The EC then proposes a resolution to be approved by the Council of member states' Ministers, in which it lists some key issues.

 

The Enciphered Commission

"Nobody can be effectively prevented from encrypting data (criminals or terrorists also can use encryption for their activities), e.g. by simply downloading strong encryption software from the Internet. As a result restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not however prevent totally criminals from using these technologies."

This is how the Brussels-based European Commission explains why tough controls on the use of encryption software could keep citizens from protecting themselves without stopping criminals from using it.

The comment appears in a "Communication Paper" the EC submitted on October 8 to other European Union bodies, such as the Council of Ministers that represents 15 national governments, and the European Parliament.

The Communication, a non-binding EC report that typically serves as the blueprint for specific future regulations, is called "Ensuring Security And Trust In Electronic Communication. Towards A European Framework For Digital Signatures And Encryption" (see a summary here).

The document, prepared by all EC directorates and especially by DG-13 that oversees telecom matters and the information society, contains many fascinating points. But like the OECD Guidelines on Encryption issued last March, the European Commission emphasized that: "The EC Treaty and the Treaty on the European Union fully respect the competence of Member States with regard to the areas of national security and law enforcement." The statement means that EC rules cannot block national policies because EU member states stay sovereign in the area -- that of national security.

But, as the EC paper goes on to state: "If national restrictions are put into place they have to be compatible with Community law. Therefore the Commission will examine whether national restrictions are totally or partially justified, notably with respect to the free circulation provisions of the Treaty...." The sentence can be applied to France, which is considering a new law that may exclude non-French nationals from taking part in its soon-to-be-implemented key escrow system.

The trusted third party, or key escrow scheme, dominates a significant portion of the EC communication. Herewith are the main points, notably those at the end, which can be considered a major controversial stance towards the establishment of TTPs (from Part III - 3: Assessment section).

Among these points, we kept an eye on this one:

Section (vii) seems to make an allusion to France, as one of the "Countries [that] would probably insist that only national TTPs could hold keys of their citizens." However, Germany has stated that storing its citizens' keys outside national borders is a possible violation of its privacy laws.

And section (viii) warns: "Irrespective of the compatibility of restrictions with the Treaty provisions on the free circulation of goods and services, specific national controls on the use of encryption could also have a secondary effect on the free circulation of persons...."


SHORT-CIRCUITS

Crypto And Crime: A Controversial U.S. Study

"We are at the leading edge of what could become a serious threat to law enforcement and national security: the proliferation and use of robust digital encryption technologies," a recent study states. Nothing new there? Au contraire!

Dorothy E. Denning and William E. Baugh -- not exactly the kind of people that promote the full liberalisation of "crypto for the masses" -- offer new clues about the real effect of today's crypto tools in preventing law enforcement agencies from fighting crime. Denning, professor of computer science at DC's Georgetown University, and Baugh, vice-president of Science Applications International Corporation (SAIC, a major defense contractor with strong ties to the U.S. intelligence community - see lambda 1.01 in French), on May 15, 1997 issued the study: "Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism."

The report is only available in a paper version (summary available there); it is published by the Washington, DC-based National Strategy Information Center's U.S. Working Group on Organized Crime.

"Our findings suggest that the total number of criminal cases involving encryption world-wide is at least 500, with an annual growth rate of 50-100%," the report states. The major finding, however, is that actual encrypted material cannot be considered a major threat to law enforcement agencies.

The authors studied at length a collection of cases where encryption was encountered by investigators, in the U.S. and abroad. They found that classic investigation methods led police to solve crimes. The police, for example, simply asked the suspects for the key to decrypt data, or found the private key by themselves on floppy disks or on hard drives.

"True," Professor Denning said in an interview, "a lot of cases also were solved because the crypto was weak and broken. [But] What will happen when the crypto becomes unbreakable, fully integrated, easy-to-use, ubiquitous, and end-to-end?... I continue to see encryption policy as a complex issue with no easy answers." She stressed one case where the criminals/terrorists used weak crypto when they "could have used something better."

Regarding the recent U.S. congressional committee hearings on the SAFE bill, she simply said, "It's like the abortion issue." She admitted that the work on this report led her to consider that U.S. export regulations may also have some negative effects on business software development.

For the Internet community's better understanding of the problem, Ms. Denning decided to put certain parts of the study online, especially the portion where all the cases are archived. The last update is from October 7, 1997 and other cases are expected to be put online soon.

--------------

Netscape's Liaisons Dangereuses?

While considering encryption as a free-for-all tool at home, Netscape has other beliefs abroad.

The Mountain View, California-based company announced on October 3 in Paris a joint venture with MatraNet, a subsidiary of Matra-Hachette (Lagardere Group), the French conglomerate with holdings in the press, telecom services and equipment, space engineering and military technologies. The joint venture (not yet incorporated, with no name), which aims to provide secure intranet and extranet services, gives Netscape a valuable foothold in the strictly regulated French market for crypto products. The deal is geared specifically for French corporations rather than wider European multinationals, explained Netscape chairman Jim Clark, speaking by telephone from California during a news conference.

Such a partnership is crucial for the company since France's new crypto laws, expected to be implemented before the end of the year, stipulate that only French entities can run so-called trusted third party systems, the repositories for users' private keys so they may be accessed for police purposes. And in a surprise announcement, a Matra official said his company would not exclude participating in any French crypto-related business, including acting as a TTP.

Indeed, Netscape's Clark recognized his company must play by the local rules. And the deal is far from done. "Until it [the venture] is approved both by the French authorities and the U.S. authorities, it doesn't really go forward," Clark added.

France considers encryption a national security threat, to the point that simple use is prohibited except for specially approved products. France is expected to change these laws before the end of the year. The new rules will set up a system of trusted third parties (TTPs) that allow access to encrypted communications for law enforcement purposes, officials say.

Yet the security products sold today by Matra and other French companies are not sufficiently secure because of key length limitations, note French security experts. Netscape's CEO Jim Barksdale recently said in a Wall Street Journal editorial that a "voluntary" approach was necessary for software publishers to "collaborate freely" with law enforcement agencies. But while Netscape, like others, is lobbying the U.S. Congress to adopt a market-driven approach for encryption and the police, the joint venture with Matra will put the company in a "mandatory context," where encryption will be legal and free only if it is controlled by a TTP-based system.

However, since Matra is a major French defense contractor, France-based multinationals may be reluctant to use the new French venture's secure communications system for fear of industrial espionage.


Jerome Thorel, October 1997
English Proof-reader: K. N. Cukier
